This invention relates to a method and system for conducting secure financial transactions over a communications network and more particularly to a method and system for transmitting payments securely over a computer network, such as the Internet, and for transmitting sensitive information securely over public communication channels.
As is self-evident, on-line commerce has experienced tremendous growth over the last few years but even with that growth consumers are still troubled and concerned about using personal financial information and transmitting such information, such as credit card numbers and personal identification numbers, over public communications networks, such as the Internet. As a result, over the last few years, companies have struggled to find a way—the best way—to ensure the security of payments made over a computer network and to decrease the risk of theft or misuse of financial information.
For example, U.S. Pat. No. 5,883,810 entitled “Electronic Online Commerce Card With Transaction Proxy Number For Online Transactions” and assigned to Microsoft Corporation, is directed to a system which provides for each transaction a temporary transaction number and associates it with the permanent account number; the transaction number looks like a real credit card number and the customer uses that transaction number and submits it to the merchant as a proxy for the customer account number. In this matter, the customer does not have to transmit over a public network his or her real credit card number.
In the '810 patent, the merchant passes along the transaction number to the issuing institution, which in turn uses the transaction number as an index, accesses the real customer account number and processes the authorization, sending the authorization reply back to the merchant under the transaction number. As a result, risk is purportedly minimized not only because the customer only transmits a transaction number but also because the proxy number is good only for a single purchase—theft “would not greatly benefit a thief because it cannot be repeatedly used for other purchases or transactions.” Col. 2, lines 60–61.
There is a need to improve upon the prior art systems and in particular there is a need for a method and system for conducting a secure financial transaction over the Internet which avoids requiring the creation and transmission of a unique repeatedly generated transaction number to replace the transmission of the permanent account number for each conducted transaction.
According to the invention of co-pending application Ser. No. 09/809,367, filed Mar. 15, 2001, which is incorporated herein by reference, a “pseudo” account number is assigned to a customer and cryptographically linked to a consumer's payment account number. The payment account number is an account number issued by a financial institution or other organization that a consumer may use to make a payment for goods and/or services. For example, the payment account number may be the account number from a payment card, such as a credit or debit card, or from a payment application, such as an electronic cash application stored on a consumer's computer. The pseudo account number appears to be an actual payment account number to a merchant. That is, the pseudo account number has the same length as a valid payment account number and begins with a valid identification number (e.g., a “5” for MasterCard International Incorporated (“MasterCard”)). The pseudo account number is used by the customer instead of the real account number for all of his or her on-line financial transactions.
According to the invention of the co-pending application Ser. No. 09/809,367, all transactions based on pseudo account numbers are preferably cryptographically authenticated using a secret key that is unique for each account number. The authentication may be based on the private key of a public-key pair (“public-key authentication”), or based on a secret key other than a private key (“secret-key authentication”). Thus, if unauthorized persons were to ascertain any pseudo account numbers, they would be unable to make fraudulent transactions using them.
In addition, according to the invention of co-pending Ser. No. 09/833,049, a method of conducting a transaction using a payment network is provided, in which a service provider is assigned an acquirer code. More specifically, the service provider receives a first authorization request for the authorization of a transaction using a first payment account number, wherein:                (i) the first payment account number has a BIN code associated with the service provider, and is associated with a second payment account number having a BIN code associated with an issuer of said second number;        (ii) the first authorization request includes an acquirer code associated with an acquirer; and        (iii) the first authorization request is routable through the payment network to the service provider based on the BIN code of the first payment account number.        
The method further includes having the service provider respond to the first authorization request by transmitting a second authorization request for authorization of the transaction using the second payment account number, the second authorization request including an acquirer code associated with the service provider and being routable through the payment network to the issuer based on the issuer's BIN code (i.e., the BIN code of the second payment account number).
Additionally, a response to the second authorization request is received by the service provider from the issuer, where the response includes the acquirer code associated with the service provider and is routable through the payment network based on that code. A response to the first authorization request is then transmitted by the service provider to the acquirer based on the response to the second authorization request, and the response to the first authorization request preferably includes the acquirer code associated with the acquirer and is routable through the payment network based on that code.
In another preferred embodiment of the invention of co-pending Ser. No. 09/833,049, a method is provided of conducting a transaction with a merchant using a first payment account number that is associated with a second payment account number, where the method comprises: (a) generating a message authentication code based on one or more transaction details; (b) transmitting at least the first payment account number and the message authentication code to the merchant; (c) requesting by the merchant an authorization for payment of the transaction using the first payment account number, the request being formatted as if payment were tendered at a point-of-sale terminal with a conventional magnetic-stripe payment card, the message authentication code being transmitted in a discretionary data field contained in a track of the type used in the magnetic stripe of the conventional payment card; (d) responding to the authorization request for the first payment account number by requesting an authorization for payment of the transaction using the associated second payment account number; and (e) accepting or declining the authorization request for the first payment account number based on the response to the authorization request for the second payment account number and the message authentication code.
This system can still be improved upon and security can still be further enhanced to protect the messages and information being transmitted during or in connection with a financial transaction being conducted over public communications lines and such improvements can take place without the use of a pseudo or proxy account numbers.